
Another decision in a long stream that will make it much harder for EU start-up companies to catch up to American ones. With absolutely no improvements to actual EU citizen well-being.



Maybe a race where the finish line is maximum exploitation of the digital population isn't a race worth running.


Yes, let's all marvel at the accomplishment of making everything funded by exploitative and intrusive but largely useless advertisements.

All digital startups are literally doomed without the indiscriminate collection of personal tracking data.

Side note: thank you modern adtech for consistently recommending me products I already bought days and weeks before. Very effective. Gullible companies just keep paying cold hard cash for these garbage recommendation systems because some sales rep talks fluffy about AI and machine learning, it's so mindblowing....


Here I thought maximum exploitation would be selling someone's identity on the dark web but I come to find on HN that it's actually hashed analytics data D: !!!


I wish the internet was purely an informational no bullshit interface/store instead of all this crap. I welcome these changes. Convert it back into a piece of furniture. Oh no we can't make a billion dollars for no reason.


[flagged]


So let's legalise child labour? Get rid of OSHA?

Where you draw the line is cultural and personal, so don’t dismiss things like this so easily.


Isn't this an opportunity for EU startups? By choosing to enforce the law on US companies that EU companies are already generally very compliant with, surely the EU has levelled the playing field for EU companies?


It is. Most startups in the EU have to use more and more businesses in the EU. The selection is little, so way more chances to succeed if you're EU based and serve both markets.

I run Simple Analytics [1], which is a privacy-first analytics business from the Netherlands. I see a lot of business from the EU just because we are from the EU as well.

[1] https://simpleanalytics.com/?ref=hn


Frankly, as an EU company (based in Germany no less) I'm steering clear of any US SaaS whenever possible. Even if they operate in the EU they're usually a legal headache because privacy compliance is added as an afterthought and they'll often carelessly transfer data to US servers based on assumptions that should have been abandoned when Privacy Shield was torn down in the courts.

Out of the big cloud providers only Azure feels even remotely safe to use (if only because of the privacy reputation of Google and Amazon).


Wait, why would Microsoft have a better reputation?

Because (NSA aside), they have been caught less often transferring private information and "stolen" company secrets to third parties?


Because their compliance is not an afterthought like the poster above said. You can't even assign an Office 365 licence to someone until you say what country they are in, so their data is kept in the right jurisdiction. I know someone will reply...blah blah no true scotsman...but compare that to most SaaS that doesn't even give the option.


Google is an advertising company that is literally built on non-consensual data harvesting. AWS is an outgrowth of Amazon, which is likewise massively invested in data mining (though mostly on Amazon itself).

Microsoft's telemetry in end user products is known to tech savvy people but the company is mostly known for its operating system and office suite that most businesses already use. Additionally in Germany Microsoft used to offload its enterprise services to Deutsche Telekom (or T-Online I think) operating them for MS under the Microsoft brand, thus appearing even more trustworthy by effectively handing over control to a well-known German company. This changed but reputation sticks.


Microsoft is now double dipping (they charge for the product and also monetize telemetry). They own LinkedIn, GitHub, Office, Teams and Windows, and are combining those surveillance streams.

They continue to support the CLOUD act as a "first step":

https://blogs.microsoft.com/on-the-issues/2018/04/03/the-clo...


I can already see the taglines: "ConsentCo, tracking that's legal in the EU, unlike Google Analytics"


A little advantage for EU analytics startups, disadvantage for all other EU startups and SMBs who have fewer options for figuring out what users like about their website and offerings.


Assuming any of that actually helps to grow revenue, or that it is the only way to find out what your users want. Plus, GDPR isn't making tracking illegal in general, it is just heavily regulating it. If it was just properly enforced, the internet would be a much nicer place...

Side note, I'm slowly getting tired of people ignoring regulations and compliance simply out of laziness.


So due to this legislation it is more costly/less profitable for a company to have a European customer compared to a US customer. Things like GDPR/lawsuits/bad PR etc. don't come for free for companies. So if some startup has a higher ratio of European users it is at a disadvantage.


GDPR is rarely enforced, we are still in a transition phase and many who start out choose to just ignore it to a degree.

I don't see how it's more costly or less profitable. Judging by the amount of lawsuits per capita I think it's way more likely to get sued in the US than Europe. And guess what's more expensive or complicated for a European company?


Setting up something like Matomo instead of GA doesn't look to me like a huge penalizing factor for a startup.

If anything, EU startups could benefit from better control over the tools they use. One interesting halo effect of Google seeing that much data is also that US startups from ex-Googlers get a head start on many insights.


That decision is on the US; once the CLOUD Act is removed, those services will be legal again.


Before the CLOUD Act there was the PATRIOT Act, which had effectively the same provisions.

These things have not been legal since the GDPR went into effect, and in some countries even before then.


Oh yeah sure, that also would not work with the PATRIOT Act.

To be compliant with the GDPR, the US needs data laws which only affect citizens on their own soil and do not overreach to EU citizens.


And we all know that this will never ever happen.


Take data of your USA customers and sell it to the highest bidder without their consent or even knowledge as you please. Don't complain that I have the right to know you do that and disagree to you doing that.


Google doesn't really sell user data.


No, it’s too valuable. They sell services using the data such as Google ads.


That seems to be a detail that a lot of people miss. Google, Facebook, etc. don't sell user data. What they do offer is services where they use that data to optimize ad delivery.

On my part, I'm not too concerned with that... they operate on a massive scale and no human is looking at my individual data. The result is me seeing fewer ads that are irrelevant, which is good for everyone (for example, no one benefits from showing me an ad for feminine hygiene products, and if Google and Facebook can make sure that doesn't happen, all the better).


Or maybe the EU is starting to rely on their own startups.

If I had to choose an analytics software for a customer's website, I'd choose someone in the EU for the sole reason that it would be compliant in both the EU and the rest of the world.


I am no EU citizen, however live in Europe and do tech startups. I welcome GDPR as well as this ruling.

It's unethical IMO to send personal data to countries that have weak privacy laws without making it absolutely clear to the user. Which is rarely the case with GA right now.

I switched most of my projects to shynet, for me personally that's more than enough information and I have zero worries about tracking and know that some users appreciate my approach.

Edit:// even before GDPR became a thing I worked with several companies who had strict rules about hosting in Europe or even more explicit not hosting in the US.


Let me guess, you're from the US and user surveillance is beneficial to your business so naturally everyone with non-capitalist (read not $$$-centric) ideology is plain wrong. EU startups don't have to "catch up" or even compete with US start ups.


Read this with a French accent for whatever reason >.<


Does this imply that the EU is "non-capitalist" or something?

"EU startups don't have to "catch up"..." then don't get surprised when EU talent is poached by US and Asian HRs for x2-x3 rates. And before you're gonna talk about all those "free" (taxpayer funded) services and how no European would ever move to Asia or NA, I'd like to remind you that we're in the remote work world now :)


Replying to a comment that states: "not everything revolves around money" with "but we make more money".


That's one way to read it, except it's more like "replying to a comment stating that EU startups (something that is about money) don't have to catch up to their US competitors with "sure, but don't get surprised when EU startups are going to be at a huge disadvantage when it comes to offering a worthy reward as a result of "not caring about money"".


As an EU citizen, I find it to be a huge improvement to detangle my data from US-American entities. Especially with the election of Trump and January 6th. Maybe Americans haven't fully realized what that meant for US-EU relations for the next hundreds of years. The US is just not a politically stable country until further notice.


Eh? Jan 6 wasn't very notable (a bunch of disorganized protestors are let into congress, but the state was not meaningfully threatened), the US has long had political instabilities, the business plot was way worse, but who has heard of it now...


Since when did the EU become politically stable? Last time I checked you were at war with Russia.


> Since when did the EU become politically stable? Last time I checked you were at war with Russia.

Russia's attack on Ukraine has no relevance at all to whether the EU is or isn't politically stable.

There may be other reasons you can cite, in which case fair enough, but that example is a non-EU third party attacking a non-EU third party. And the EU is not at war with Russia.


EU did everything to start it, established economic blockade of Russia and sending weapons to Ukraine. At this point it is a war between Russia and EU in Ukraine.


Blockade and weapons are consequences of Russian invasion. Russia started this war.

And yes, unfortunately it can't be allowed to persist in its current shape.


So it is war then?


What else could it be? Russia already lost more men than during their entire invasion of Afghanistan.


He wants to troll you into saying that the EU is at war with Russia. That’s how he gets his kicks ;-)


Putin's disinformation really worked wonders on you.


My opinion is irrelevant, it is what Putin’s generals think. https://www.aa.com.tr/en/russia-ukraine-war/moscow-says-eu-n...


And? Even Russians don’t care about what their military believes in - see the hilariously low social status of soldiers within Russian society. Why would anyone else care? As a reminder, we are discussing whether EU is politically stable.


You are demonstrating the level of geographical and political knowledge that people expect from Americans. I hope this is satire.


Ukraine is, not the EU. The US is at least as involved in the war as the EU is.

But I wouldn't call many EU countries very stable either. It can still be a win to not send private data to the US though, tracking has become far too precise and omnipresent.


Actually, the cookie layers of Google have become a lot better in recent months. I doubt that it was Google's initiative, so I think that all this legal stuff is making a difference. Yes, it is a very slow process, but what would be an alternative?

Yes it doesn't solve the startup problem, but honestly there are also a ton of other laws and regulations outside of data protection which make it hard for startups to prosper. Web Analytics seems a relatively minor problem.


Yikes... Have you ever heard of some of the alternatives?

I self-host Plausible which is GDPR compliant and gives me all of the features that Google Analytics is actually good for. There is so much bloat in GA that provides absolutely no extra value.

I'm skeptical that this is a bad deal for EU citizens.

[EDIT] missing and


Nah. The problem here is Google, not analytics in general. You can still use analytics as long as you do it in a privacy-first approach.

These laws also apply to US companies offering their services in the EU. Frankly, it's about time American companies get reined in on their privacy abuses. US startup culture has been playing fast and loose with people's data for far too long to disastrous effects.


Perhaps those are start-ups that we don't need in the EU.


That's assuming a European GDPR-compliant alternative to Google analytics wouldn't arise. But of course it will. It's not even a very difficult product to build. If anything this is both sticking it to Google and creating opportunities for European startups to fill the void.


That's ok, that's our decision.


The EU hasn’t shaken off their roots in monarchy. Using the power of the state to go after a single private entity since they have a blood feud with said entity and are now finding all sorts of excuses to hit them economically.

I’ve been following the cases with regard to privacy in the EU and it’s a complete joke. You have all these onerous rules against any web technology making it near impossible for startups to function without an army of lawyers. Think I’m exaggerating? Look up the provisions under GDPR for any business, big or small, to set up a website and then process a single user request for their data even without sign in.

The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.


You may be looking at this through a very narrow, heavily politicized lens.

First: GDPR is a compromise, so it's a bit uneven. That's partly due to lobbying by google and friends. Second, privacy very much needs protection. Even if you are perfectly fine giving up your privacy, other people aren't. Third: you can actually process user requests. Depending on how you do it, you don't even have to show a banner. Is that really too intrusive?


I mean, before accusing someone of looking at this politically, please read the comment fully.

You’re taking pains to explain why GDPR is a compromise? Why? If it’s bad law, it’s bad law.

Nothing you said invalidates the assertions I’ve made. Unless you’ve directly experienced the onerous system of regulations in places like Germany, I’d urge you to do more research before the armchair dismissal.


> If it’s bad law, it’s bad law.

Presumably it's your opinion that it's a bad law. The majority of Europeans think it's a good law - possibly the best regulation the EU has ever promulgated.


Bad law for the reasons above.

Ie, onerous toward regular businesses

Ie, used to greatly expand bureaucracy and overhead

Ie, used by unelected bureaucrats to wage battles of personal vendetta against specific companies instead of doing what laws do, which is set unambiguous standards for all


In fact it's not at all onerous, unless you are determined to violate its provisions. If your business doesn't depend on privacy violations, then the "bureaucracy" that GDPR calls for is trivially easy to implement. There are no licences, and no registration requirements. Provided you aren't playing fast and loose with the personal data of Europeans, you're fine.

There's no "personal vendettas" going on; can you substantiate that allegation at all? The GDPR applies to everyone equally. And unlike some laws, it's fairly easy to read; it's meant to be understood. Don't bother reading some biased summary of the Regulation; read the GDPR itself. That's the best guidance on the intent, and the best guidance on how to comply.

/me: former data protection officer at a web development outfit.


"iTs nOt aT aLl oNeRoUs" said the DPO. lol, what a clown. So all these companies scrambling to hire lawyers to document every single aspect of the "legal basis" or whatever nonsense is in the language are just crazy in your books?

And that's just ONE sub clause of a hundred or so.

The overhead is both in the arbitrary nature of the requirements (Good Laws are objective, not subjective) and the sheer lack of consistency in the enforcement is ridiculous for any European business. Consider the adequacy clause that's taken decades to litigate and is still fucking criminal as of this writing.

Answer this simple question: "Can I, as a small business use AWS services that may or may not have a compute instance located in the EU?". You know pretty well what the answer is there, so, basically every small business in the EU is in violation right now. And it's bureaucratic assholery that keeps this deliberately inconsistent so they can choose to enforce it at any point of their choosing (read, a negative PR cycle) - Monarchy, inconsistency, arbitrary and ambiguous rulemaking that has tossed out the interests of businesses.

The vendetta against Google is well documented and it's insulting for you to even say otherwise. Look at the most recent example of the CNIL (France's privacy enforcement body, a part of the executive) choosing arbitrary standards and refusing to even elaborate on concrete standards for recommended analytics solutions that businesses may use. They have gone full psycho with not even wanting to give Google the opportunity to come into compliance with standards that they choose not to reveal and instead openly ask industry to turn Google Analytics off. It's ridiculous and bad for their own economies.


> Good Laws are objective, not subjective

There's a difference between the way French and Germans write laws and the way we write them in the UK; I prefer the UK style, which leaves less room for interpretation.

> basically every small business in the EU is in violation right now

Only if they're handling personal data. Most small businesses don't.

Sure, if your business is collecting personal data, then GDPR is a problem for you; in the same way as the Road Traffic Act is a problem if you're determined to drive uninsured. If you want to sail close to the wind, then it's probably wise to lawyer-up.

And, of course, you don't have to use AWS.

> And it's bureaucratic assholery that keeps this deliberately inconsistent

That's not how I read it. The way I read it, GDPR is astonishingly lenient. Before they prosecute, they'll warn you; provide advice on how to come into compliance; and give you time to do it.

> choosing arbitrary standards

If GA involves depositing personal data in US jurisdiction, then you can't use GA in a GDPR jurisdiction. That's not vague or arbitrary. It may be - um - bold; But this law was flagged up years before it came into force. It's not as if the law came out of nowhere, and suddenly everyone's in violation.

> Its ridiculous and bad for their own economies.

Others have argued that GDPR is an attempt by the EU to steal Silicon Valley's breakfast, implying that it's good for European economies.


> There's a difference between the way French and Germans write laws..(and the U.k.)

Interesting way of saying they are bad laws. If you cannot, as a business have certainty in your prediction of the regulatory environment, you're pretty fucked. I wouldn't expect a piece of the bureaucratic establishment such as yourself to understand the struggles of setting up and running a business. What was your role as DPO again? An ornamental peace offering to the burdens imposed by regulation? Not all businesses have the luxury of throwing money at legal resources.

> Only if they're handling personal data. Most small businesses don't. Sure, if your business is collecting personal data, then GDPR is a problem for you; in the same way as the Road Traffic Act is a problem if you're determined to drive uninsured. If you want to sail close to the wind, then it's probably wise to lawyer-up.

It must take a special kind of asshole to say this. In just another one of your recent comments here you mention that even the mere presence of an IP address that ISN'T EVEN STORED would put a business in violation and liable to large fines. So you pretty much agree that all small businesses are in violation if they use AWS in any reasonable way to run their business but you don't want to say it explicitly here since it makes you look bad. Gotcha.

> And, of course, you don't have to use AWS.

And of course, the European people elected you their lord and savior to tell businesses which tech stacks they pick and choose because of your interpretation of arbitrary laws. See the problem here yet?

> That's not how I read it. The way I read it, GDPR is astonishingly lenient.

Is it? So why did other member states of the EU take offense at the decision of the Irish DPA? The one stop provision clearly stipulates that the onus of enforcement falls to the one stop shop and instead, the arbitrary nature of the law as it stands, other member states and bureaucrats in Brussels seem to deem it necessary to impose their will and personal vendettas against the perceived soft touch approach of an entity fully within their rights to do so.

> If GA involves depositing personal data in US jurisdiction, then you can't use GA in a GDPR jurisdiction

Have there been any warnings against AliCloud for instance? Or all the analytics bundles shipped in Huawei phones?

I can't seem to recall any press release or webpage dedicated to a single company like the CNIL and now Italian authorities have adopted towards Google Analytics?

Is there any oversight to these agencies allowed where these decisions are up to public scrutiny such as the FOIA act in the US to assure the public that these highly paid public officials are not wasting all their time and money chasing personal vendettas as seems to be the case here? Of course fucking not.

Is Google Analytics perfect? Maybe not. But this is the crucial point . . THE LEGISLATURE CANNOT DISCRIMINATE AGAINST A SINGLE ENTITY THIS WAY. While turning a blind eye to practices by Huawei and other companies, it is simply against the rule of law.

> Others have argued that GDPR is an attempt by the EU to steal Silicon Valley's breakfast, implying that it's good for European economies.

A weasel through and through. What else did I expect from someone in your position?

So, illegal abuse of power by Government to target a company is fine by you, Mr. DPO ?


> I wouldn't expect a piece of the bureaucratic establishment such as yourself

Good Lord, presumptions much?

I said I was DPO in my last job. I was also the main sysadmin, and as my main role a website developer. This was a company of 10 people including the bosses. Someone had to take on the role.

> It must take a special kind of asshole to say this.

It must take a special kind of asshole to say that, to someone you haven't met and know nothing about.

> but you don't want to say it explicitly here since it makes you look bad. Gotcha.

Not really; I've never evaluated AWS for compliance. The reason I didn't say that is because it's not something I know about. We didn't use AWS; I've used it, but in someone else's coding shop, where AWS compliance wasn't my concern.

May I suggest that you're a bit hasty with words like "clown", "asshole", "weasel" and "gotcha"?

> And of course, the European people elected you their lord and savior to tell businesses which tech stacks they pick and choose because of your interpretation of arbitrary laws. See the problem here yet?

How are things over there in Conclusions, where you seem to have jumped? I have never told anyone what tech stack they should use.

> THE LEGISLATURE CANNOT DISCRIMINATE AGAINST A SINGLE ENTITY THIS WAY.

Where in the GDPR is GA mentioned? Or AWS, for that matter?

For the sake of clarity, no legislature had anything to do with the GDPR; it was promulgated by the European Commission, an important part of the EU bureaucracy, and I have never worked for any part of the EU bureaucracy. In fact, I no longer even live in the EU.

> A weasel through and through. What else did I expect from someone in your position?

And what position is it, that you think I occupy? FTR, I'm a retired software developer. The position I occupy is sitting in an armchair.

> So, illegal abuse of power by Government to target a company is fine by you, Mr. DPO ?

Nope. In fact I'm also against legal abuse of power, whether by government or anyone else.

You seem to be very angry; perhaps social media is not for you.


The fact that you still can’t bring yourself to admit here what you did in another comment says more than I ever could.

ie, that any small or big business inadvertently sending even an IP address that isn’t even stored to touch a US based resource in something as innocuous as AWS.

Seeing your other recent comment here, it seems you’re just a moron with a nationalistic tendency to support your countrymen (and women). Oh well, objectivity dies and future generations on your continent suffer. Who cares, right? You’re retired.


If it's inadvertent, then they can remedy the error once they've been notified.

If an IP address is sent to the USA, then whether it's stored or not ceases to be a matter that European courts can oversee. Since US courts and European courts are not in accord on these matters, Europeans are faced with either banning the export of IP addresses to the USA, or giving up on legislating privacy at all. We chose the former.

> it seems you’re just a moron with a nationalistic tendency

Oh, more name-calling, and more conclusions jumped to. If you can't make an argument, make a personal insult, and decorate it with insulting epithets based on nothing at all.

> future generations on your continent suffer

Ah, you're not from these parts! I thought not. But in the light of that fact, it's our concern, not yours, right? So why do you get SO angry about European law? If you want to trade in Europe, you have to comply with European regulations. Same wherever you want to trade.

I don't approve of the US trade environment. For example, about half the world is under US trade sanctions; but you don't get me marching around accusing USAians of being morons, weasels, assholes, and clowns.

Perhaps the truth is that it is you that is the nationalist?


"remedy the error"? Care to put that in a sentence like "Remedy the error of using the internet"

You expect a business that's invested in the AWS stack to up and move overnight because some illiterate morons in Brussels decided that?


I don't care much what decisions random businesses make.

It has been my view for a long time that entrusting your infrastructure to the tender mercies of a firm like Amazon is reckless. Here we have a situation where the legal environment has changed; AWS hasn't changed to match; so those companies that chose to rely on a 3rd-party infrastructure provider appear to have made a mistake.

If I had been advising one of those companies, I would have advised them to bring critical infrastructure in-house. But there might have been other options, like using Europe-based infrastructure providers.

I've never been involved with budgets and so on. It's not my concern how much different solutions cost. I just think the principals of companies have a responsibility to avoid third-party risk - which is what you have, if you rely on a third-party for critical company infrastructure.

That's why I was able to persuade my employers to bring their email service in-house. It worked, and the bosses were pleased with the improved service and reliability. We also constructed our own in-house build and deployment train; that worked very nicely too.

Maybe the cost-benefits vary according to the type and size of business. I'm not a researcher, and I only know about the things I've looked into. But my guess is that AWS works well for companies that are after a quick buck (e.g. an IPO).


GDPR compliance is actually trivial to implement if you manage your users’ data in ways that wouldn’t surprise them negatively. There's not much more.

> unelected bureaucrats

Does the American elect the IRS or the FTC bureaucrat?


Well, read the thread above you. GDPR is so complex that even the people who passed it can’t tell you the scope given the intentional ambiguity.

I have officials in the EU on the record that IP addresses are deemed personal information and if your business uses AWS and unintentionally passed IP addresses over to any resource in the US, you are technically in violation.

Will you be hanged for this today? Probably not. But all it takes is one negative press cycle for the idiots there to interpret and enforce this as they have shown the willingness to do in the past.

The point about unelected bureaucrats isn’t the unelected part. It’s the lack of oversight or consequence or clear demarcation of legislative power from the executive.

The bureaucrats have taken it upon themselves to issue multiple specific rules that go over and beyond the text of any law. See the case of the CNIL in France. They had a court ruling around their rules for cookies on Google go against them and they continued to insist that they would enforce said law. They issued an “FAQ” on their website that indicated threatening language against businesses that flouted their previous comments that were now deemed incorrect by a court of law and had the audacity to press on.

Like I said, the EU is an abusive monarchy


> I have officials in the EU on the record that IP addresses are deemed personal information and if your business uses AWS and unintentionally passed IP addresses over to any resource in the US, you are technically in violation.

Of course, everybody knows that. You have to have good reasons to store people’s IP addresses (ie security logs, which must be disconnected from the tracking/telemetry system).

> Will you be hanged for this today? Probably not. But all it takes is one negative press cycle for the idiots there to interpret and enforce this as they have shown the willingness to do in the past.

If the regulator finds out that your analytics or recommendation system (which again is not the system where you store logs) is collecting and processing IP addresses without users’ consent, they will ask you to stop. If you don’t they will eventually fine you.

> The point about unelected bureaucrats isn’t the unelected part. It’s the lack of oversight or consequence or clear demarcation of legislative power from the executive.

GDPR has been made/negotiated by the European Parliament (which is elected directly), by the Council of the EU, which is composed of ministers of member states, and by the Commission (whose members are elected by the Parliament and the Council). These are the legislative and executive branches of the EU, not a bunch of unelected bureaucrats.

If you were referring to the regulator, well, all regulator bodies are made of “unelected bureaucrats” by design (that’s why they are referred to as “independent agencies”).

> The bureaucrats have taken it upon themselves to issue multiple specific rules that go over and beyond the text of any law. See the case of the CNIL in France. They had a court ruling around their rules for cookies on Google go against them and they continued to insist that they would enforce said law.

It seems that you are very agitated because the CNIL (some unelected bureaucrats) imposed a blanket ban on cookie walls and then the Council of State (some other unelected bureaucrats) held that such a blanket ban could not be imposed. An honest observer would acknowledge that these things happen every day (the Council of State wouldn’t otherwise exist), the matter is quite complex and that the gist of the matter hasn’t changed: “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information”. So one may still be fined for a cookie wall.

If what is upsetting you is instead a court case, the only one I could find is the recent 150mln€ fine that Google appealed on jurisdictional grounds and that was upheld, again, by the Council of State.

Either way, I wouldn’t get too agitated about complex court cases in foreign countries thousands of kilometres from my home and whose language I don’t speak.

> Like I said, the EU is an abusive monarchy

I will point to Proposition 7 of Wittgenstein’s Tractatus and I won’t indulge you further on this.


> Of course, everybody knows that

Lol. Thank you for agreeing. You're completely wrong about the fines part, it is discretionary. ie, if tomorrow, there is a negative press cycle, you will certainly be hit with any punishment of their choosing. The incremental warning and fines approach has no practical or legal basis.

If it does, get it in writing from __ANY__ entity entrusted with enforcing the GDPR, you will be laughed out of the room. Europe is a clown show. Ambiguity rules.

> These are the legislative and executive branches of the EU, not a bunch of unelected bureaucrats.

Oh really? Read my comment again. These assholes in the executive are directly changing the letter of the law. ie LEGISLATING.

They are further doing so with the stated objective of harming a single company. I can point you to the statements of a hundred or so elected officials, not least of all the president of the European Commission who said so in no uncertain terms when she was in the US for SXSW.

> It seems that you are very agitated because

I didn't ask you to diagnose anything, Dr. Phil. Sit the fuck down and read the comment again. The Council of State in France is who the CNIL reports to. They are the administrative justice Supreme Court.

When an agency goes fucking rogue against their oversight body while trying to kill a company, what else is it other than abuse of power? The very fact that you choose not to call this out makes me question your motives and judgement.

We have laws for a fucking reason. Not to print them out and hang them on the walls like ornaments but so there is discipline in the exercise of power entrusted in people with the power of Government. We can't have personal vendettas run through governmental office.

> I will point to Proposition 7 of Wittgenstein’s Tractatus and I won’t indulge you further on this.

Fancy. Should I be impressed? Does that disqualify all the abuse of power in your eyes?


> Lol. Thank you for agreeing. You're completely wrong about the fines part, it is discretionary. ie, if tomorrow, there is a negative press cycle, you will certainly be hit with any punishment of their choosing.

Not any punishment of their choosing, but according to Art. 83, that defines the maximum fine and the criteria to determine it.

This is not different from what the FDA or the SEC do in the USA. Or do you think they define exact fines for all possible misbehaviours up to the second decimal point regardless of mitigating factors or negligence?

> The incremental warning and fines approach has no practical or legal basis.

The legal basis is GDPR, which is a regulation of the EU. Do you mean that it goes against some EU treaties or rulings of the CJEU? Or the problem is that this notion upsets you somehow and you are telling me because you think I should do something about it?

> If it does, get it in writing from __ANY__ entity entrusted with enforcing the GDPR, you will be laughed out of the room. Europe is a clown show. Ambiguity rules.

I don’t understand what I should get in writing. Art. 83 of GDPR?

> Oh really? Read my comment again. These assholes in the executive are directly changing the letter of the law. ie LEGISLATING.

The Commission has the right of initiative, that is they propose laws that are approved by the Parliament. I’m not sure I understand what is upsetting you here.

Who are “these assholes in the executive” you are referring to? Are they the Commission or CNIL or both or none? I don’t live in France, but I’m sure the CNIL is not making new laws. If it worries you, I can ask around.

> We have laws for a fucking reason. Not to print them out and hang them on the walls like ornaments but so there is discipline in the exercise of power entrusted in people with the power of Government. We can't have personal vendettas run through governmental office.

Which is why the Council of State blocked the CNIL and also why you should not get so upset.

> Fancy. Should I be impressed? Does that disqualify all the abuse of power in your eyes?

I won’t indulge you further on this.

To sum it up, you don’t seem aware of how the EU makes laws but yet you know enough to be very agitated. You are especially upset with French bureaucrats, because some of them made some mistake and other French bureaucrats corrected them. For avoidance of doubt we’ll certify that you are very upset with both groups and that you think something should be done about it.


If you’re illiterate or deliberately avoiding the issues I’ve highlighted, then all the best to you and your kind.

We’ve established that there are presently different outcomes for the same actions under European law. Ie, if you send IP addresses today to AWS, you could be deemed to be doing something illegal overnight subject to 4% of global revenue or 20 million euro fines.

This isn’t about cents or decimals, jackass. You know very well this is about coverage.

Under the FDA or any US agency, you have an option to appeal to an independent branch of government whose decisions are binding. Here, we see the opposite take place in France. Lawlessness. Monarchy. Being run through the bureaucracy. You can’t even bring yourself to admit that the CNIL arrogantly brushed off effectively the SUPREME COURT OF ADMINISTRATIVE JUSTICE. You say it’s a “mistake”?? Are you fucking kidding me? Deliberately doing the opposite of what your oversight agency rules is abuse of power.

Can a European citizen simply ever say “yeah, fuck the GDPR, I know that’s a law, but I won’t follow it, doesn’t apply to me?” Of course not. So what gives the CNIL the power to ignore their responsibilities under French and European law?

Even after being blocked by the Council of state, they chose to target an individual company with the exact thing that they were instructed is legal and they should not be interfering with. Respect laws only when you like them?

Clear abuse of power, horrible precedent for democracies and rule of law everywhere and most European assholes connected to politics I speak to behave the way you do, try to brush it under the carpet? Anyone with half a brain will be aghast at what is happening in the EU and if you clowns think discourse that defends assholery from the bureaucracy wins you any favors or makes Europeans' lives any better, you're more stupid than I’m giving you credit for here.


> Ie, if you send IP addresses today to AWS, you could be deemed to be doing something illegal overnight subject to 4% of global revenue or 20 million euro fines.

If you are breaking the law, if a regulator finds out, you may be deemed to be doing something illegal overnight. Yes, that’s how everything works everywhere. What is worrying you now? The sound of a GDPR breach in a forest where nobody can hear it?

> Under the FDA or any US agency, you have an option to appeal to an independent branch of government whose decisions are binding.

Of course you can file an appeal, just use Google, you’ll find plenty, some successful and some not.

> Here, we see the opposite take place in France. Lawlessness. Monarchy. Being run through the bureaucracy. You can’t even bring yourself to admit that the CNIL arrogantly brushed off effectively the SUPREME COURT OF ADMINISTRATIVE JUSTICE. You say it’s a “mistake”?? Are you fucking kidding me? Deliberately doing the opposite of what your oversight agency rules is abuse of power.

You are getting fixated on a very minor case of French administrative law, that you didn’t even care to understand. The ICO made a minor mistake in considering all cookie walls illegal. The Council of State said that they can’t make a blanket ban, but that they should evaluate all cookie walls individually. No fine has been annulled and the ICO can still deem your cookie wall illegal. So still no monarchy for you.

> Anyone with half a brain will be aghast at what is happening in the EU

Anyone with a half brain will at least spend some time understanding the issue at hand before getting excessively agitated.


Either you don’t understand technology or you’re a dunce. You’ve made a strong case for both in this thread.

By admitting data flows to US resources are illegal, you’ve just said that what you’re doing right now can be construed as illegal activity on the part of the website you’re on. HN is indeed hosted on US resources. You touch Microsoft Excel and guess what? US resources get your personal data.

So you’ve just basically admitted that under GDPR, all regular internet activity is illegal if it touches a US server. Hence “coverage”. Hence, everyone living under really, the discretion of the monarchs.

Thanks for playing. Dumbass.


"Dunce", "dumbass". You lost this argument a long time ago - hurling insults and epithets tends to have that effect. But I'm sure you'll press on, and invoke Hitler soon.

> guess what? US resources get your personal data.

From posting to HN? AFAIAA, HN only gets your IP address. GA gets your search history, which is a bit different.


Lol, the person above you admitted that IP addresses are enough to put you in violation.

It doesn't matter post that statement what your conclusions are. You have opened up every business to a liability of 4% global earnings or 20 million Euros WHICHEVER IS GREATER. . .at the sheer discretion of some illiterate fucks like yourself in Brussels.


> If you’re illiterate or deliberately avoiding the issues I’ve highlighted, then all the best to you and your kind.

Perhaps if you were to actually highlight the issues you claim to have highlighted, it might be easier for us and our "kind" (I don't know what "kind" I belong to). You rant about the European "monarchy", and the deficiencies of European bureaucracy; what about explaining your proposals for a reformed GDPR?

But I think you are opposed to any kind of privacy legislation. GDPR steams you up because it is privacy legislation that works. Well, that's fine; there are laws that USAians make that I'm opposed to. I'm not on-board with US lawmaking and judicial processes. That's fine too; I don't have to live or trade in the USA (and I did make a choice; I once lived in the USA).

I suspect that something about the GDPR must have bitten you quite badly - would you consider sharing what it was? It would be helpful if you avoided the "asshole", "weasel", "moron", "dumbass", "illiterate" language, and focused on what happened, and what the impact was.

NOTE: there are people here that don't seem to be good at spelling, but I don't think I've ever come across a post here that I would describe as "illiterate".


I seem to have touched a nerve lol. Here's my reform proposal for the GDPR:

1. Toss it out. All of it. In the present form, it is worthless.

2. Make privacy regulation simpler, not ten million pages and bureaucrats who are RIGHT NOW, abusing the power that all Europeans have entrusted them with.

3. Enable independent oversight. Consultations with technical committees of technology companies, Judicial reform to ensure there is no legislating from the bench, independent whistleblower handling to investigate abuses of power such as the CNIL case.

4. Separate the legislative, executive and punitive functions with very tight rules. We have assholes in Brussels so married to the idea that all tech is bad that they rebelled against the moves by the European Parliament to codify data transfer laws between the EU and US during Biden's visit. I mean, there is a limit to short sighted thinking.

5. Stop the political uncertainty with the multiple changes and the sheer amount of idiotic bureaucracy with multiple conflicting regulations where EVERY SINGLE FUCKING THING is a crime and instead, pick the most pressing issues: Cybersecurity, Data Handling, Data Sharing etc. It's ridiculous that we have 10,000 people obsessing over cookie banners while malicious hackers pilfer 100s of millions of people's data because of a lack of political will to focus on cybersecurity.

On privacy legislation, my biggest gripe with the GDPR is it HAS DONE FUCK ALL for privacy. Apple has done more with the changes to iOS than the entire fucking EU with GDPR.

I am advocating for MORE effective legislation, not more INEFFECTIVE, burdensome, regressive regulation that enshrines the concentration of powers and makes innovation impossible.

1. Enlarge the definition of privacy legislation to cover EVERYTHING! Do you realize that EUROPEAN Intel agencies are not covered by the GDPR right now? While American Intel agencies are and Chinese Intel agencies are not even mentioned or challenged? How is that good for privacy when Huawei is essentially taking much of European market share while being run by a Govt enslaving a million Muslims in Xinjiang?

2. Make it less reliant on pure punitive measures and more an incentive+punitive set of objective measures to give companies the opportunity to innovate towards solutions. Right now, the stance by Europe has made only investing in lawyers the most appropriate choice. That or leave. No middle ground, no consultations, simply make villains of tech companies and that is the legacy of many regulators there.

3. Term limits on regulators. Limits and regulation on the people enforcing privacy legislation to ensure a balanced mind. Right now, go on Twitter and see the deranged rants of many of the people in these agencies who delight at the market share loss of Facebook or openly express glee whenever there is a bad press cycle outside of privacy for any of the companies they're supposed to be entrusted with passing judgements on. This is not a democracy. It's shameful.

4. Incentives that MINIMIZE liability for companies that meet objective standards that are reasonable. Right now, the approach is to hit them with the biggest stick you can find and hope and pray that it works out.

Many more, but along the same lines.

> I suspect that something about the GDPR must have bitten you quite badly

I've seen people simply struggle to achieve success that other parts of the world take for granted. This is TODAY . . in EUROPE of all places. You need to realize that bad political decisions are bad for everyone. I don't have skin in the game other than the feeling of watching someone drive off a cliff. So many people I speak to/interview/engage with from Europe who are young are SO very bright and talented and it's amazing to see how the very people they elected piss away time, resources and money on depleting the economy that these kids are going to grow up into for personal vendetta.

No one in their right mind will argue that the GDPR does a great job. It is very flawed legislation that will set the privacy movement back decades.


> Monarchy.

You don't seem to know what a monarch is. You're ranting about a French regulator; you don't seem to be aware that the French got rid of their monarchy before the American colonies did.

> if you clowns think discourse that defends assholery from the bureaucracy wins you any favors or makes Europeans' lives any better, you're more stupid than I’m giving you credit for here.

The value of your "credit" diminishes with each post you make. Apparently your view is that "Anyone with half a brain will be aghast at what is happening in the EU"; well, either Europeans are, in fact, aghast, or you're really referring to your own "countrymen", which I suspect is a rather small clique of USAian tech bros.

Have a chill-pill, dude. GDPR is European law, for Europeans. You don't have to come to Europe, and you don't have to trade here. If you stick to jurisdictions that don't, in your view, involve assholery, then everything's copacetic for everyone, right?

I have a strong sense that you want to trade in Europe, without having to comply with European law. That's not going to work.


> The EU hasn’t shaken off their roots in monarchy.

I know, right. I mean obviously the world's most famous royal family (our British one) isn't really a monarchy so that doesn't count. And they certainly don't get previews and vetoes on our laws, or given hundreds of millions from the licence fees for offshore wind farms, or own a notable percentage of the land.

As for GDPR, compliance is pretty straightforward provided you aren't being shady to begin with.

And the new UK proposals are much worse and if they go through as they stand will be a nightmare for anyone serving UK visitors.


Do you have a point, asshole? There's more in that comment above than the bait you took.


You are right that my point wasn't clear and I apologise for that.

Your comment started by saying that the EU (as a negative) has not shaken off monarchy and ended with a contrast with the UK (a positive comparison). My point was that the UK (I am British) is even more steeped in monarchy/tradition so that can't be the cause.

Then I addressed your complaints in the middle paragraph about the GDPR by pointing out that compliance is reasonably simple for sites already having good behaviour.

And finally as you started with the EU and ended with the UK I pointed out that the new UK proposals are more onerous than the GDPR ones (thanks to the verification requirement).

You're free to disagree, and again I apologise for not being clear enough, but those were my points.


> The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.

I don't think so; the UK passed the Data Protection Act 2018 just 4 years ago, to bring GDPR into UK law. That is: the DPA is normal statute legislation, unlike the GDPR itself, which is a bureaucrat-made regulation. The DPA was passed by both houses of Parliament.

So what are these mysterious moves to ignore the law? The only such moves I'm aware of are some plans to remove the European Court of Human Rights from UK law (ain't gonna happen - the ECHR is written into the Good Friday Agreement), and the UK's decision to ignore the decision of the ICJ concerning the Chagos Islands.


> I don't think so; the UK passed the Data Protection Act 2018 just 4 years ago, to bring GDPR into UK law.

This is wrong.

The Data Protection Act did not bring the GDPR into UK law, GDPR became part of UK law as soon as it was passed because it's an EU regulation, and regulations have direct effect in all member states (which at the time it was passed included the UK).

The GDPR then became "retained EU law" by virtue of Section 3 of the European Union (Withdrawal) Act 2018, and was then modified (turning it into the UK GDPR) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These regulations also amended the Data Protection Act, fwiw.


Are you. . . For real in this thread? Can you please stop commenting about things you seem to have zero context in and zero interest in following even casually? https://www.itpro.co.uk/policy-legislation/data-protection/3...


Instead of resorting to abuse and name-calling, let's hear your proposal for the kind of data-protection legislation you favour. Surely you're not advocating the ideas of the terminally-dim Nadine Dorries?

The simple fact is that if you allow unrestricted export of personal data from Europe to the USA, then European law can no longer control what use is made of that data, because the US courts won't enforce European restrictions. Are you advocating for Europeans to submit to the wild-west regime in the USA?

By the way, if you don't care to read my posts, you can always just not read them; they are all tagged with my handle at the top.



